Request for Proposals for providing
Certification of Compliance with the 
European Self-Regulatory Programme 
on OBA 


Date: 10 October 2012 


1. Background: 

The European Interactive Digital Advertising Alliance (EDAA) is a non-profit association 
registered in Brussels, Belgium. EDAA manages the Self-Regulatory Programme on Online 
Behavioural Advertising, which is based on the signatory-based IAB Europe Online Behavioural 
Advertising Framework (hereafter referred to as the ‘IAB Europe OBA Framework’) as an 
integral part of the European Advertising Standards Alliance’s (‘EASA’) comprehensive
self-regulatory Best Practice Recommendation (‘BPR’) for Online Behavioural Advertising (OBA).


The IAB Europe OBA Framework lays down a structure for codifying industry good practices 
and establishes certain Principles to increase transparency and choice for web users within the 
European Union (‘EU’)/European Economic Area (‘EEA’). The Principles are intended to apply 
consumer friendly standards to Online Behavioural Advertising (OBA) and the collection of 
online data in order to facilitate better alignment of the users’ expressed preferences and 
industry practice. 


Under the terms of the Principles, companies shall self-certify their compliance within 6 months 
from the signing date; in order to become recognised as fully compliant and be granted the 
corresponding trust seal, signatory companies acting as Third Parties must undergo an 
independent certification process, with an approved Certification Provider. This document, 
therefore, is a Request for Proposals addressed by EDAA to companies wishing to act as 
Certification Providers in the EU/EEA. 


2. Deliverables: 
Key deliverables are: 


1. Certification of signatory companies’ compliance with the requirements of the IAB 
Europe OBA Framework, including renewal of certification at regular intervals (as yet to 
be defined) 


2. Ongoing monitoring of compliance with the requirements of the IAB Europe OBA 
Framework 


3. Reporting of aggregated compliance-related data 


2.1. Certification of compliance with the requirements of the IAB Europe 
OBA Framework 


Certification Providers should be able to provide independent third-party audit and certification 
services for the signatories of the IAB Europe OBA Framework. This should be done by verifying 
whether or not signatory companies are satisfying the compliance criteria detailed in the
Self-certification criteria for signatories of the IAB Europe OBA Framework, attached in Annex 1.


Once certified by a Certification Provider, a signatory of the IAB Europe OBA Framework will 
receive a periodically renewable trust seal. The trust seal has been developed and will be 
maintained centrally by the European Interactive Digital Advertising Alliance - ‘EDAA’, and will 
be granted to companies by approved Certification Providers. 


In order to provide certification services and to grant the trust seal, companies should be able 
to: 
a) assess whether the processes put in place by a signatory company in order to meet its
obligations under the IAB Europe OBA Framework are adequate. The proposed 
methodology for conducting this third-party verification is to be outlined by the 
Provider as part of the technical dossier submitted in reply to this RFP. The audit or 
verification of the signatory company’s processes needs to be done before the trust seal 
can be awarded, and periodically after the initial awarding of the seal. The frequency is 
to be proposed by the Provider as part of the technical proposal answering this RFP. 


and 


b) monitor the compliance of their signatory clients with the IAB Europe OBA Framework 
for a period of at least 30 days before granting the seal (for further details please see 
section 2.2 below). 


2.2. Monitoring of compliance with the IAB Europe OBA Framework 


In addition to the periodical assessment of processes referenced above, the Certification 
Providers will provide continuous monitoring of compliance of their signatory customers. The 
continuous monitoring of compliance services will cover the following: 


1. Ad Marker - checking that the Ad Marker is consistently used according to the attached 
Technical Specifications for implementing the IAB Europe OBA Framework and EASA 
BPR in Europe and Self-certification criteria for signatories of the IAB Europe OBA 
Framework. 


2. Integration with the OBA User Choice Site (www.youronlinechoices.eu), where relevant 
- checking that the signatory’s integration with the OBA User Choice Site works 
consistently across time: 


a. Monitoring opt-out failures 


b. Monitoring the availability of the signatory’s integration mechanism with the OBA
User Choice Site 


The monitoring services will be provided by the Certification Providers for the following 
purposes: 


a) Initially, award of the trust seal 
b) Periodically, renewal of the trust seal 


c) On an ongoing basis, collection, storage and provision of detailed data for
complaints-investigation purposes to the investigating body, should the 
compliance of their signatory clients be investigated by a Self-Regulatory 
Organisation (‘SRO’) or other similar organisations. 


2.3. Reporting of aggregate compliance-related data 


Independent of the services provided to the signatory companies, the Certification Providers 
will commit to making available data to EDAA to enable it to compile aggregated reporting data 
and statistics e.g. for reporting to regulatory authorities and to allow EDAA to assess whether 
the licensees of the OBA Icon are using it as intended. 


The aggregate reporting data will include datasets such as: 


1. Updated list of signatory clients, along with their respective status (i.e. ‘Certified’, ‘In 
Progress’, ‘Certification withdrawn’); 


2. Number of icons served over time, with breakdown on signatories; 


3. Summary of compliance-related incidents, such as failures of the opt-out tool, number of 
user complaints and their respective status, with breakdown on signatories. 


The aggregate reporting data is to be submitted regularly, on a schedule agreed with the EDAA. 


The aggregate reporting data is to be submitted in a format proposed by the Certification 
Provider and agreed with the EDAA. 


3. Fees: 

While the principle under which the Certification Providers operate is their independence from 
the online advertising industry, it is envisaged that Certification Providers will pay a processing 
fee of 10,000 EUR to EDAA. EDAA’s acceptance of Certification Providers shall be renewed 
annually, and the processing fee will be paid accordingly. 


4. Assumptions and Agreements: 
Certification of compliance cannot be provided to non-signatories of the IAB Europe OBA 
Framework; that is, vendors must commit not to offer such services to non-signatories. 


Should the Certification Provider deliver the OBA Icon on behalf of their signatory clients, the 
responsibility for acquiring the licence to use the OBA Icon rests exclusively with the signatory 
clients. 


The number of Certification Providers in Europe is not limited; however, Certification Providers 
will undergo an approval process with the EDAA, in order to make sure that they have the 
necessary technical, legal and business expertise to perform such activities, as well as the 
necessary resources. The approval process will also ensure consistency of approach across 
Europe, both in terms of criteria and procedures for granting the trust seal. 


In order for a company to be eligible to act as a Certification Provider, the company must show, 
as part of the submitted proposal, independence from online advertising companies. 


Though the trust seal has been developed by the EDAA, the responsibility for hosting and 
delivering it rests with the Certification Provider. 


5. Required Proposal Format: 
The submitted proposal must contain the following sections: 


1) Presentation Section, detailing: 
a) General company information; 
b) Expertise with regard to the provision of Third Party Auditing services; 
c) Geographical reach, worldwide and/or within Europe; 


d) Technical expertise related to the monitoring of online activities; 


e) A statement of independence from online advertising companies.


2) Technical Proposal section, detailing:
a) Methodology for the assessment of signatory companies’ processes, as per Section
2.1;


b) Methodology for continuous/ongoing monitoring of compliance as per Section 2.2;
While the final methodology needs to be agreed with the EDAA, companies should
propose such a methodology in their Technical Proposal dossier;


c) Methodology and format for reporting aggregated data to the EDAA, as per Section
2.3;


d) Should a company wish to provide both services of delivering the OBA Icon and
Certification of Compliance for the same client, the Technical Proposal should detail
how the independence of the two services will be ensured, avoiding any potential
conflict of interests;


Proposed process for withdrawing the trust seal should the signatory client become
non-compliant. While the final process will be decided by the EDAA, companies
should propose such a process in their Technical Proposal dossier.


Note:


Under certain circumstances the SRO investigating a signatory company, following a
predetermined set of rules, may request the Certification Providers to remove the
trust seal. Certification Providers must accommodate this request in their proposed
processes, ensuring immediate withdrawal of the trust seal from any company
deemed to be non-compliant by the SRO.


3) Financial Proposal section, describing the fees that are to be charged to the signatory
companies for the service of auditing and certification; should the business model or the
fee level be different across European Union/European Economic Area, details are
required.


The submitted proposal must also specify if the company will commit to all European Economic 
Area country markets. If that is the case, it should be specified whether the company will use local
partners or not. 


6. Timeline: 


6.1. SUBMISSION DEADLINE:


The proposal has to be submitted by Wednesday, October 31, 6 PM CET. 


6.2. Questions and clarifications:


Companies should allow for a period of 2 weeks after the submission of their proposals for 
questions and clarifications from the EDAA. 


6.3. Assessment of proposal and publishing the results: 


The results of the assessment process will be published within 3 weeks following the 
submission deadline. 


7. Proposal to be submitted to: 
EDAA, Ionel Naftanaila, Project & Technical Manager, ionel.naftanaila@edaa.eu 


8. Basis for Award of Contract: 
Combination of methodology, expertise of contractor and lowest fees charged to the market. 


9. Contact for Additional Information or Clarification: 
Ionel Naftanaila 


Project & Technical Manager, EDAA 
Phone: +40 (0)723 21 67 05 
Email: ionel.naftanaila@edaa.eu 


# # # 

The European Interactive Digital Advertising Alliance is a non-profit organisation based in 
Brussels and is responsible for enacting key aspects of the self-regulatory initiative for Online 
Behavioural Advertising (OBA) across Europe. EDAA principally acts as the central licensing 
body for the OBA Icon and provides technical means for consumers to exercise transparency 
and control over OBA through the www.youronlinechoices.eu online consumer choice
platform. EDAA is governed by EU-level organisations which make up the value chain of OBA 
within Europe and acts to ensure European (and global) consistency in approach. For more 
information, please visit: www.edaa.eu 


Annex I - Self-certification criteria for signatories of the IAB Europe OBA Framework 
Date: 12 April 2012 
1. Introduction

Established in 1998, IAB Europe exists to support and promote the growth of the European 
digital and interactive marketing industry. Representing 27 National IABs and Partners across 
Europe and over 5,500 companies, IAB Europe is the trade association of the European digital 
and interactive marketing industry. 


IAB Europe has published the “European Framework for Online Behavioural Advertising” that 
will increase transparency and control for Online Behavioural Advertising. This signatory-based 
Online Behavioural Advertising Framework of IAB Europe (herein referred to as the ‘IAB 
Europe OBA Framework’) is an integral part of the European Advertising Standards Alliance’s 
(‘EASA’) comprehensive self-regulatory Best Practice Recommendation (‘BPR’) for Online 
Behavioural Advertising. 


The IAB Europe OBA Framework lays down a structure for codifying industry good practices 
and establishes certain Principles to increase transparency and choice for web users within the 
EU/EEA. The Principles are intended to apply consumer friendly standards to Online 
Behavioural Advertising and the collection of online data in order to facilitate the delivery of 
advertising based on the preferences or interests of web users. 


Under Principle VI - Compliance and Enforcement Programmes, the IAB Europe OBA 
Framework states that: 


“Following the adoption of this Framework and the Icon each Company should comply and self 
certify by 30 June 2012. Companies adopting the Framework later than 1 January 2012 should 
comply and self certify within 6 months of adopting the Framework and the Icon.” 


In line with the above, this document aims to provide signatories of the IAB Europe OBA 
Framework with a comprehensive set of criteria for self-certification of compliance.
Self-certification of compliance shall be limited to those requirements applicable to each signatory’s
business model; however, should a signatory be subject to multiple obligations, self-certification 
must cover all such applicable provisions. In other words, if a signatory fulfils more than one 
role in the advertising eco-system, then it should comply with the requirements applicable to 
each of these roles. 


Self-certification of compliance under this document and the IAB Europe OBA Framework does 
not exempt Companies from fulfilling their obligations under applicable national laws. 


This document is based on the IAB Europe OBA Framework, EASA Best Practice Recommendation
on Online Behavioural Advertising and the Technical Specifications for implementing the IAB 
Europe OBA Framework and EASA BPR in Europe. 
2. General criteria for self-certification of compliance

Under the terms of the IAB Europe OBA Framework and EASA Best Practice Recommendation on 
Online Behavioural Advertising, a number of provisions apply equally to all signatories, 
regardless of their role in the online advertising value chain. 


2.1. Data security 


2.1.1. Safeguards 


Companies should maintain appropriate physical, electronic, and administrative safeguards to 
protect the data collected and used for OBA purposes, including any backups. Some examples
of how this could potentially be done include, but are not limited to:


1. Appropriate physical safeguards. Companies may implement internal processes for 
ensuring OBA data security from a physical perspective. Physical access to OBA data 
could, even within the company, be granted only based on business reasons and all 
access should be monitored and logged as part of standard business practice. 


2. Appropriate electronic safeguards. Companies could implement electronic data 
protection tools against unauthorised access, including (but not limited to) data 
encryption or firewalls. 


3. Appropriate administrative safeguards. Companies could implement appropriate 
administrative measures, such as, if applicable, specific clauses in contracts with 
employees, partners or contractors, or any internal procedures designed to prevent 
unauthorised access. 


2.1.2. Data Storage 


Companies should retain data that is collected and used for OBA only for as long as necessary to 
fulfil a legitimate business need, or as required by law. Some examples of how this could
potentially be done include, but are not limited to:


1. Set a reasonable validity interval on any data collected for OBA purposes.


2. Delete data collected for OBA purposes when the validity interval has been exceeded. 


2.2. Sensitive Segmentation


2.2.1. Children’s segmentation 


Companies will not create segments for OBA purposes that are specifically designed to target 
children (age 12 and under). While this does not mean that ad delivery will cease, it means that no 
advertisements specifically targeted for age 12 and under will be delivered to this category. 


2.2.2. Other sensitive segments 


Should a Company seek to create or use such OBA segments relying on use of sensitive personal 
data, as defined under Article 8.1 of Directive 95/46/EC (racial or ethnic origin, political opinions, 
religious or philosophical beliefs, trade-union membership, health, sex-life), they must obtain a web 
user’s Explicit Consent, prior to engaging in OBA using that information. 
2.3. Education


Companies that engage in OBA should provide information to inform individuals and businesses 
about OBA, including easily accessible information about how data for OBA purposes is obtained, 
how it is used and how web user choice may be exercised. 


Some examples of how this could potentially be done include, but are not limited to:


1. Provide information regarding their OBA business practices, either via pages on 
Companies’ own site(s), or by linking to the OBA User Choice Site. This information 
should contain, at a minimum, a description of: 

a. What OBA means and how OBA works 

b. How OBA is used by the Company 

c. How data for OBA purposes is collected, stored, processed and used 
d. How user choice may be exercised 

2. Information provided should be made easily accessible for users; this can be done by 
creating a link on the footer of the site, on the home page or on the general Terms and 
Conditions page, unless stated otherwise in the “Specific criteria and best-practice 
recommendations for self-certification of compliance” section below 

3. Information should be provided in a language easily understood by the average Internet 
user (i.e. avoiding where possible technical terms and specialised wording) 


2.4. Complaints handling 


Web users may make complaints about incidents of suspected non-compliance with the 
Principles of the IAB Europe OBA Framework. While web users will have available a number of 
ways to make complaints, Companies must ensure that, regardless of what means the user uses 
to submit the complaint (whether directly to the Company or through an industry or
self-regulatory body), proper processes are in place to ensure a timely and satisfactory response
and resolution of the issue, if necessary. 


In order to be compliant, companies should: 


1. Implement and ensure efficient and timely functioning of internal complaint handling 
mechanisms. It is recommended that the time interval to respond to user complaints 
should not be more than 7 days and should address the substance of the complaint. 


2. Implement an easily accessible mechanism for complaints to be filed directly with 
companies. 


3. Ensure an efficient process is in place for responding to enquiries made by national
self-regulatory bodies on OBA-related issues and formal unresolved OBA complaints.


4. Adhere to the enquiring self-regulatory organisation’s procedures for complaint 
handling¹.


1 Different national self-regulatory bodies may apply slightly different complaints handling procedures; 
as such, should a complaint be filed-in with a self-regulatory body, the enquiry to be further made by the 
SRO to the company will be accompanied by the relevant set of procedures. Pan-European companies 
wishing to receive information in advance about the generic procedures followed by the self-regulatory 
bodies in Europe can address a request to the European Advertising Standards Alliance (EASA). 
3. Specific criteria and best-practice recommendations for self-certification of compliance

Under the terms of the IAB Europe OBA Framework and EASA Best Practice Recommendation on 
Online Behavioural Advertising, a number of provisions apply differently to signatories, 
according to their role in the online advertising value chain. A signatory can simultaneously play 
several roles; in such circumstances, self-certification must cover all applicable provisions. 


For the purposes of this document, a number of roles have been identified: 


• Advertisers. An Advertiser is an entity that pays for the production, execution, and
placement of an online advertisement, usually for a product or service that he produces. 


• Agencies. An Agency is an entity that manages the production, execution, or placement
of an online advertisement on behalf of the Advertiser. 


• Third Parties. As defined by the IAB Europe OBA Framework, an entity is a Third Party
to the extent that it engages in Online Behavioural Advertising on a web site or web sites
other than a web site or web sites it or an entity under Common Control owns or
operates. The following (but not limited to) can be examples of Third Parties:


o Ad Networks. An Ad Network is an entity that connects Advertisers to web sites 
that host online advertisements, optimizing value for both Advertiser and 
Publisher. 


o Ad Servers. Ad Servers are entities that provide specialized software to 
Publishers, Advertisers and Ad Networks to deliver and report on online 
advertising campaigns. 


o OBA Providers. An OBA Provider is an entity that develops and uses or provides 
in the marketplace technology to collect data for OBA purposes and to deliver 
OBA Ads².


o Ad Exchanges. Ad Exchanges represent technology platforms that facilitate 
automated auction-based pricing and buying of online advertising inventory in 
real-time. Ad Exchanges represent a sales channel to Publishers and Ad 
Networks, and a source of online advertising inventory for Advertisers and 
Agencies. 


o Demand Side Platforms. A Demand Side Platform (DSP) is a system that allows 
Advertisers to manage their bids across multiple Ad Exchanges in order to 
minimize expenditure while maximizing results. 


o Supply Side Platforms. A Supply Side Platform (SSP) is a system that allows 
Publishers to automate the management of their inventory across multiple Ad 
Exchanges or Ad Networks, in order to maximize income. 


• Publishers. A Publisher is the owner, controller or operator of the web site with which
the web user interacts. The IAB Europe OBA Framework refers to the Publisher as being 
the Web Site Operator. 


2 As defined in the Technical Specifications for implementing the IAB Europe OBA Framework and EASA 
BPR in Europe 
3.1.1. Self-certification of compliance - Third Parties


IAB Europe OBA Framework defines a Third Party as an entity that engages in Online 
Behavioural Advertising on a web site or web sites other than a web site or web sites it or an
entity under Common Control owns or operates. 


Third Parties have a series of obligations under the IAB Europe OBA Framework and EASA BPR 
on OBA. 


Third Party Privacy Notice 

Third Parties should give clear and comprehensible notice on their websites describing their 
OBA data collection and use practices. For the purposes of this document, ‘clear and 
comprehensible’ should be defined as simple, layman’s language; also, the link to the respective 
notice should be easily accessible for the users (i.e. clear link on the homepage) and should be 
distinct from the “Terms and Conditions” section. 


The notice should include the following information: 
• Third party’s identity and contact details;


• The types of data collected and used for the purpose of providing OBA, including an
indication as to whether any data collected is “personal data” or “sensitive personal
data” as defined by the relevant national implementation of Directive 95/46/EC;


• The purpose or purposes for which OBA data is processed and the recipients or
categories of recipients not under Common Control to whom such data might be
disclosed;


• A link to the OBA User Choice Site;


• An easy-to-use mechanism for allowing Internet users to exercise choice with regard to
the collection and use of data for OBA purposes and to the transfer of such data to Third
Parties for OBA; this mechanism can be either a link to the opt-out page of the OBA User
Choice Site or a more advanced User Preference Management tool implemented by the
Third Party on its own web page.


• A statement to the effect that the Company adheres to these Principles.


Third Party Enhanced Notice 

Third Parties should provide “enhanced notice” of the collection and use of data for OBA 
purposes via the Ad Marker in or around the advertisement, in accordance with the provisions 
of Technical Specifications for implementing the IAB Europe OBA Framework and EASA BPR in 
Europe. 


Regardless of various arrangements with Web Site Operators or Agencies/Advertisers, the 
responsibility to display the enhanced notice belongs to Third Parties. For this reason, should a 
Third Party fail to comply with the enhanced notice obligations, it is the Third Party and not the 
Web Site Operator or Agency/Ad Server that will be considered to be non-compliant. 


In order to display the Enhanced Notice, the Third Party must have a licence; in the European 
Union/European Economic Area (EU/EEA) the relevant licence can only be obtained from the 
European Digital Advertising Alliance, under specific terms and conditions. 


User Choice 

Each Third Party should make available a mechanism for web users to exercise their choice with 
respect to the collection and use of data for OBA purposes and the transfer of such data to Third 
Parties for OBA. 
In practice, this means:


1. There should be a clear link from the Ad Marker or from the interstitial page³ to the OBA
User Choice Site. 


2. Integration of the Third Party with the user choice mechanism hosted on the OBA User 
Choice Site must be in place and work reliably over time; this obligation refers mainly to 
OBA Providers or any Third Parties using their own means to uniquely identify a 
browser (i.e. cookies or any other technical solutions). 


3. The practice of using technologies in order to circumvent the user’s express choices (for 
example by deliberately “re-spawning” deleted cookies), is not regarded as compliant 
with data protection law and should not be used. 


Explicit consent 

To the extent that Companies collect and use data via specific technologies or practices that are 
intended to harvest data from all or substantially all URLs traversed by a particular computer or 
device across multiple web domains and use such data for OBA, they should first obtain Explicit 
Consent. 


Also, any Company seeking to create or use such OBA segments relying on use of sensitive 
personal data as defined under Article 8.1 of Directive 95/46/EC will obtain a web user’s 
Explicit Consent, in accordance with applicable law, prior to engaging in OBA using that 
information. Sensitive personal data, as defined under Article 8.1 of Directive 95/46/EC, 
represent: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade- 
union membership, health, sex-life. 


Explicit Consent is defined by the IAB Europe OBA Framework as “an individual's freely given 
specific and informed explicit action in response to a clear and comprehensible notice regarding 
the collection and use of data for Online Behavioural Advertising purposes”. As a consequence, in 
order for a company to be compliant, the following conditions must be fulfilled simultaneously: 


1. The user must have been informed, in their own language and with simple, non-technical
wording, that all or most of their browsing activities will be collected and stored, in 
order to be used later for OBA purposes. 


2. The consent must be given specifically for the collection and use of data for OBA 
purposes (i.e. a company is not compliant if the user gives Explicit Consent to data 
collection and use, but OBA is not specifically mentioned or is mentioned in an 
ambiguous manner). 


3. Explicit Consent must be freely given, meaning that it must not be induced in any way, 
by (but not limited to) suggesting to users that certain browsing functionalities would not
be available or their online experience might be impaired by not consenting. 


4. When obtaining Explicit Consent companies must also inform users that the Explicit 
Consent can be withdrawn at any time: 


a. Users must be provided with an easy to use mechanism to withdraw their 
Explicit Consent to the collection and use of OBA data; 


b. There must be a clear, dedicated link (i.e. not in the Terms and Conditions or a 
similar page) from the company’s home page to the withdrawal mechanism; 


3 As per the Technical Specifications for implementing the IAB Europe OBA Framework and EASA BPR in
Europe 
c. While the wording that should appear on the link is not prescribed, it must be
easily understood by the users; 


d. The withdrawal mechanism should be simple and should not ask users for any 
additional data; 


e. Once the user has withdrawn the Explicit Consent, collection and use of OBA 
data must stop. 


3.1.2. Best practice recommendation - Advertisers 


Advertisers have no specific obligations under the terms of the IAB Europe OBA Framework and 
EASA BPR on OBA. However, if the Advertiser, on its own site, permits data to be collected by 
Third Parties in order to be used on a web site not under Common Control⁴ for OBA purposes,
the Advertiser is acting as a Web Site Operator⁵, and therefore should provide adequate
disclosure of this arrangement. For further details please see section 3.1.4 below: Best practice 
recommendation - Publishers. 


Also, while not an obligation in itself, Advertisers should be aware that it is envisaged that the 
penalties for non-compliant players (Ad Networks, Third Parties, Publishers) are removal of the 
B2B seal and communication of the failure to comply to the market and the public⁶. It is
therefore recommended that signatories acting as Advertisers consider the compliance status of 
their suppliers when conducting business transactions. 


3.1.3. Best practice recommendation - Agencies 


Agencies have no direct specific obligations under the terms of the IAB Europe OBA Framework 
and EASA BPR on OBA. Agencies, however, play a key role in serving the Ad Marker; while this 
does not mean that Agencies take responsibility or assume liability that the Ad Marker will 
always be served in the correct place, practical considerations may dictate that the Ad Marker is 
served by the Originating ad server (usually the Agency ad server)⁷.


Similar to the situation for Advertisers, while not an obligation in itself, Agencies should be 
aware that it is envisaged that the penalties for non-compliant players (Ad Networks, Third 
Parties, Publishers) are removal of the B2B seal⁸ and communication of the failure to comply to
the market and the public⁹. It is therefore recommended that signatories acting as Agencies
consider the compliance status of their suppliers when conducting business transactions. 


3.1.4. Best practice recommendation - Publishers 


The IAB Europe OBA Framework strongly recommends that Web Site Operators inform Internet 
users about OBA data collection by Third Parties on their sites. As defined in the Technical 
Specifications for implementing the IAB Europe OBA Framework and EASA BPR in Europe, Web 
Site Operators should provide this “adequate disclosure” via a link in the footer, having the 
following characteristics: 


4 As defined in the IAB Europe OBA Framework 

5 As defined in the IAB Europe OBA Framework 

6 As per the EASA BPR on OBA, principle IV - Compliance and Enforcement Programmes 

7 As defined in the Technical Specifications for implementing the IAB Europe OBA Framework and EASA 
BPR in Europe 

8 The B2B trading seal is granted by one of the approved certification providers selected by the OBA 
industry coalition. Details of the approved certification providers will be published on the EDAA 
(European Digital Advertising Alliance) website before the end of Q2 2012. 

9 As per the EASA BPR on OBA, principle IV - Compliance and Enforcement Programmes 
• The link is placed in the footer of all pages, and is distinct from the “Terms and 
Conditions” link; 

• The exact wording of the link itself is not prescribed, but it should be self-explanatory 
(i.e. the average visitor to the site would understand that by clicking on the link he/she 
will be redirected to a page where information about data collection on the site is 
presented)10; 

• A user clicking on the link is presented with an information page containing at least the 
following: 

    o A list of Third Parties who are active on the site and with which the user, 
    wittingly or unwittingly, may be interacting; 

    o Links to further information on OBA and online privacy, including the OBA User 
    Choice Site; 

    o Any other information that supports user understanding and the aims of the IAB 
    Europe OBA Framework. 


4. Notification of self-certification 

EDAA will maintain and update, on its website, a list of signatory companies that are 
self-certified. As such, once the criteria for self-certification of compliance are fulfilled, companies 
will notify EDAA via an on-line form; this form will be made available on EDAA’s website before 
1 June 2012. Companies that have signed the IAB Europe OBA Framework before 1 January 
2012 must become compliant and self-certify by 30 June 2012; companies that sign the IAB 
Europe OBA Framework after 1 January 2012 must become compliant and self-certify within 6 
months of the signing date. 


Contact 


training@iabeurope.eu 
IAB Europe 

The Egg 

Rue Barastraat 175 
1070 Brussels 

Belgium 
www.iabeurope.eu 


10Examples of text can be found in the Technical Specifications for implementing the IAB Europe OBA 
Framework and EASA BPR in Europe 
5. Frequently Asked Questions 


1. What is the deadline to become self-certified? 


Companies that have signed the IAB Europe OBA Framework before 1st of January 2012 must 
comply and self-certify by 30 June 2012. All other signatories should comply and self-certify 
within 6 months of adopting the Framework. 


2. I am not a Third Party. Do I still need to submit to an independent auditor? 


No. The IAB Europe OBA Framework clearly states, “Companies that are subject to Principle II 
shall submit to independent audits of their self-certification”. Principle II of the IAB Europe OBA 
Framework applies to: (a) Third Parties and (b) Companies that “collect and use data via 
specific technologies or practices that are intended to harvest data from all or substantially all 
URLs traversed by a particular computer or device across multiple web domains and use such 
data for OBA”. 


3. I am not a Third Party. What do I need to do in order to be self-certified? 


In order to be self-certified you have to implement business processes and, where applicable, 
technologies, to fulfil the provisions of the General criteria for self-certification of compliance 
section of this document. Also, as a best-practice recommendation, you might want to consider 
the provisions of the applicable (according to your role in the digital advertising eco-system) 
sub-section of the Specific criteria and best-practice recommendations for self-certification of 
compliance section. 


4. As a Third Party, what do I need to do in order to be self-certified? 


In order to be self-certified you have to implement business processes and, where applicable, 
technologies, to fulfil the provisions of the General criteria for self-certification of compliance 
section of this document. You should also fulfil the provisions of the Self-certification of 
compliance - Third Parties subsection above. 


5. I am a Third Party as defined in the IAB Europe OBA Framework. What does 
self-certification mean for me? 


Self-certification is a first step towards being granted the Business to Business (B2B) 
trading seal certifying that you are compliant with the industry self-regulatory Programme on 
OBA as stated in the IAB Europe OBA Framework. 


6. Who grants the B2B trading seal? 


The B2B trading seal is granted by one of the approved certification providers selected by the 
OBA industry coalition. Details of the approved certification providers will be published on the 
IAB Europe and EDAA (European Digital Advertising Alliance) websites before the end of Q2 
2012. 